Date:      Fri, 24 Apr 2009 22:59:09 +0200
From:      "O. Hartmann" <ohartman@mail.zedat.fu-berlin.de>
To:        freebsd-current@freebsd.org, freebsd-questions@freebsd.org
Subject:   pam_groupdn/pam_member_attribute does not with OpenLDAP/PAM and FreeBSD. Why?
Message-ID:  <49F2281D.7030109@mail.zedat.fu-berlin.de>

On our FreeBSD 7.2/8.0 driven infrastructure we use OpenLDAP:

openldap-sasl-client-2.4.16 Open source LDAP client implementation with
SASL2 support
openldap-sasl-server-2.4.16 Open source LDAP server implementation
pam_ldap-1.8.4_1    A pam module for authenticating with LDAP

From O'Reilly's OpenLDAP book and other sources I got the information,
that the tags

pam_groupdn
pam_member_attribute

can be used in conjunction with 'uid' to restrict access to a specific
host to those which are member of the group specified by pam_groupdn, as
long as the group object supports
multi-value-attributes like memberUid.

Well, this is not working with FreeBSD any way!

Suppose I define in /usr/local/etc/ldap.conf

pam_groupdn cn=myGroup,ou=groups,dc=foo,dc=bar (objectClass: posixGroup)
pam_member_attribute memberUid

And within this group there is my memberUid:

memberUid: ohartmann

Now I try to login to the specific box and get the warning:

You must be a memberUid of cn=myGroup,ou=groups,dc=foo,dc=bar to login.

... and I can login, no matter whether I'm in the group or not.

What is happening here? Why is the documentation telling me this should
work and why isn't FreeBSD/PAM doing so?

I'm confused!

Any help appreciated.

Oliver
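An offline model of the decision the pam_groupdn/pam_member_attribute settings above are expected to produce, added here as an illustration (not pam_ldap's own code, and not part of the original mail). It assumes that a memberUid-style attribute is compared against the login name, while DN-valued attributes such as member or uniqueMember are compared against the user's full DN; the ldap.conf fragment, the group entry and the user DNs are constructed samples.

```python
"""Offline model of the pam_groupdn / pam_member_attribute authorization check.

Added illustration, not pam_ldap's code. Assumption: a memberUid-style
attribute holds login names, while member / uniqueMember hold user DNs.
"""

# Constructed copy of the relevant /usr/local/etc/ldap.conf lines.
LDAP_CONF = """\
# LDAP client settings (constructed sample)
base dc=foo,dc=bar
pam_groupdn cn=myGroup,ou=groups,dc=foo,dc=bar
pam_member_attribute memberUid
"""

# Constructed posixGroup entry as an LDAP search would return it.
GROUP_ENTRY = {
    "objectClass": ["posixGroup"],
    "cn": ["myGroup"],
    "memberUid": ["ohartmann", "alice"],
}

# Attributes whose values are DNs rather than login names (assumed set).
DN_VALUED_ATTRS = {"member", "uniquemember"}


def parse_ldap_conf(text):
    """Return {key: value} for the key/value lines of an ldap.conf fragment."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key.lower()] = value.strip()
    return conf


def group_check(conf, group_entry, login, user_dn):
    """Return (allowed, message); message mirrors the pam_ldap warning on deny."""
    group_dn = conf.get("pam_groupdn")
    if group_dn is None:
        return True, ""  # no group restriction configured
    attr = conf.get("pam_member_attribute", "uniqueMember")
    entry = {k.lower(): v for k, v in group_entry.items()}  # attrs are case-insensitive
    wanted = user_dn if attr.lower() in DN_VALUED_ATTRS else login
    if any(v.lower() == wanted.lower() for v in entry.get(attr.lower(), [])):
        return True, ""
    return False, "You must be a %s of %s to login." % (attr, group_dn)
```

If this model says deny for a user who is nevertheless let in, the denial is being reported (the warning is printed) but not turned into a failure of the PAM stack, which is where to look next.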